Secure Backup software with asymmetric encryption RSA, openSSL

Hi,
I need backup solution/software to backup data on usb keys and secure it with public key,
asymmetric encryption.
I know how to create public/private key, how to encrypt/decrypt single file.
But I dont know how to make script than can encrypt folder with multiple files and move encrypted files to another location.

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Your best bet is to use whole disk encryption on the usb device - PGP sell a version of WDE that uses RSA keys, (actually, pgp keys, so other algos supported) - although symmetric keys are fine for that provided you keep them unique - and once mounted, you can just drag files onto there, and indeed treat the usb drive as you would any other usb device (with the only real difference being once dismounted, the usb will be unreadable without the key to re-mount it)

btan's suggestion of 7z is a good one though. while 7z doesn't use asymmetric keys, you could easily write a simple text file to hold a randomly generated symmetric key, use the symmetric key to encrypt an entire directory structure into an archive (optionally hiding the file names) then encrypt the text file with the hybrid scheme of your choice (ssl, pgp, whatever)

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

indeed manual backup is not going to be very operationally friendly and if script failed - will script be smart enough to recover, and alert instead of skipping and left files not protected yet copy over...too many permutation for own scripting. It is always best to have some sort of NAS / SAN encryption where possible, but cost is a deterrence. However, we cannot be penny wise pound foolish.

...even bitlocker is already some sort of disk encryption and you can identify data volume (if that is the place to store the backup copies. Other similar approach using encrypted volume where a partition is assigned to be encrypted and eventually back it up (there is secure container from truecryp and axcrypt), likewise if it is VM based then it is a file by itself

Ironkey is great product, weak point is backup, which is secured/encrypted with user password and can be brute forced.
We need asymmetric encryption, with public 4096 bit key

I used this command OpenSSL to encrypt file, with asymmetric encryption I get problem to decrypt files they are larger then 800MB
smime -encrypt -aes256 -in archive.zip -binary -outform DEM -out archive_encrypted.zip main_public.pem

well, first you want to compress THEN encrypt - encrypted data is not compressible.

but if you look at your own command examples, you will find you are using AES@256 bit for your encryption, and protecting only the key with RSA. If your script does this explicitly (using "7z a -p" and a pseudorandomly generated password) you then have the simpler task of how to use RSA to protect a short pw string.

you can of course just use "7z a" to create an unencrypted archive then encrypt that archive with openssl (using the command you posted) but you then need sufficient staging space to stage the backup before you can encrypt it. with "7z a -p" you could encrypt and write the 7z archive directly to the nas in a single operation, then just need to securely transfer the password and you are done - and that can even be added into the same 7z archive after it is created, to give you a single-file backup - for that you would be more likely to use rsautl (rather than smime) and supply the password on stdin, with output being to something like <backup-datestamp>.key - which you than use "7z a" (without -p, obviously) to append to your existing backup 7z file. no staging space needed, no certificate needed (you just need the public key) and only decryptable with the aid of the private key (which you will then need to keep very safe :)

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.